Attacks on web sites in recent years has resulted in severe disruption in network services. These attacks can take any one of a number of forms including, but not limited to, SYN flooding.
In a SYN flooding attack an attacker overloads a victim's site to the point where it cannot cope with incoming traffic. Such an attack, typically, focuses on an inherent characteristic of TCP based services.
Essentially, TCP services rely on a three-way hand shaking protocol on connection set up. A client wishing to make connection with a host sends a synchronization signal (SYN) to the host and the host responds to the client with a SYN acknowledgement (ACK) reply. The client then returns an acknowledgement and the connection is established.
Upon completion of a connection the client forwards a finish (FIN) packet to the host indicating that there will be no further data or packets directed to the host and the connection is thereafter closed.
In a SYN flooding attack the attacker will typically use a false or invalid source address such that when the host returns the SYN/ACK message it does not reach a valid client. Under the TCP protocol the host stores half opened connections i.e. connections for which the third leg of the three way protocol has not been completed for a set period of time or until a system time out occurs. If, during this time interval multiple new half opened connections are established at the host site the memory allocated to retaining such connections becomes swamped and eventually is unable to receive any more SYN packets. At this stage the server or host will crash or will not respond to any new connections and the site goes out of service. Because the host is unable to receive further data the attacker has been successful in generating what is known as a denial of service attack. Denial of service attacks have become an increasingly prevalent form of a security threat and the problem, so far, has been quite difficult to solve. Several countermeasures have been proposed and can be characterized as firewall and router filtering, operating system improvements, protocol improvements and intrusion detection.
Essentially, a denial of service attack involves blocking somebody's ability to use some service on a network. As such, Denial of Service (DoS) attacks are common across the Internet with many being launched daily at various targets. Many of the attacks involve specially constructed packets designed to either take advantage of the aforementioned flaws in software, or to tie up resources within devices (packet flooding attacks).
Several methods have been proposed for detecting packet flooding types of attacks. In a paper entitled, Detecting SYN Flooding Attacks, Proc. Infocom 2002, by H. Wang, D. Zhang, and K. G. Shin, packet counting algorithms have been proposed. These algorithms attempt to detect attacks by looking for asymmetry between streams of packets. For example in the above referenced paper TCP/IP SYN flooding attacks are detected by looking for differences between the number of SYN (start connection) and FIN (end connection) packets.
According to the Wang et al paper the detection method relies on a counting argument on the SYN and FIN packets of the TCP connections. Those packets should go in pairs in any well-behaved connections. Thus, the number of SYN packets should match roughly the number of FIN packets. The simplicity of this method lies in its stateless and low computation overhead, which make the detection mechanism itself immune to flooding attacks. This simplicity allows the detection to be performed in the leaf routers that connect end hosts to the Internet.
In a yet to be published paper entitled SYN Flood Attacks: Last Mile Routers Detection by S. D'Souza, B. Howard, P. Kierstead, J. M. Robert the proposed Wang et al solution is extended to examine the packets more rigorously, taking direction into account. Essentially this paper improves on the counting algorithms described in the Wang et al paper by looking at a bi-directional method of counting SYN and FIN packets.
Since the prior art solutions rely on symmetrical transactions they may only be suitable for situations where symmetry can be found between the packets being transferred (for example: SYN-FIN). This technique may not be suitable for attacks such as ICMP (Internet Control Message Protocol) echo floods (ping attacks).